Analysis of Phishing Attack Activities Carried out by the SwimSnake Black Industry Gang Using Malicious Documents
1.Overview
The “SwimSnake” black production gang has been active since the second half of 2022, launching a large number of fishing attacks and fraud activities against domestic users. This type of black spread malicious program variety, frequent replacement of kill-free means and infrastructure, attack targets involved in a wide range of industries. Recently, Antiy CERT has detected that the “SwimSnake” black product gang spread malicious Excel files against finance and taxation personnel, and induced users to click the hyperlinks to jump to fishing websites and download malicious programs from them.
After the malicious program is executed, the malicious Index. asp file is loaded, and then the malicious AutoHotKey, Python script and two Shellcodes are downloaded and executed in several stages, finally the remote control Trojan is executed in the memory of the victim computer. The remote control Trojan has the function of keylogger, clipboard monitor, screen capture and so on, and supports receiving and executing many kinds of remote control commands. “SwimSnake” black property gang attackers will usually use remote control Trojan horse to control the victim’s computer in the instant messaging software, impersonating the identity of the victim for subsequent attacks, fraud activities.
The “SwimSnake” gang is still frequently updating malware, kill-free methods and related infrastructure, and a certain number of users are still attacked and implanted into remote-controlled Trojans every day. Antiy CERT advises users to be vigilant when receiving files, and avoid clicking on executable programs, scripts, documents and other files whose security is unknown, so as to avoid suffering from “SwimSnake” attacks and causing unnecessary losses.
It is proved that the Terminal Defense System (IEP) of Antiy can effectively kill the remote control Trojan.
See Section IV for the inspection plan and Section V for the relevant protection suggestions.
2.Technical review
In this attack, the decoy file released by the attacker was an Excel file named “(June) Steal-Misinvolvement-Tax-Violation Enterprise List Published .xlsx,” which induced users to click “Click to view.” In order to jump to a fishing website.

As shown in the figure below, the user will download a compressed file named “List of Enterprises under Key Audit – Terminal. zip” after clicking any button in the website. It contains two documents: List of key audit enterprises – Terminal. exe, Index.asp.

Key Audit Enterprise List – Terminal. exe is a server tool called “SmartServer Intelligent Port Rapid Version,” which will load the Index. asp file in the same path after running. The Index. asp file contains malicious code, and after execution, the malicious AutoHotKey, Python script and two Shellcodes are downloaded in several stages, and finally the remote control Trojan named “Login Module .dll” is executed in memory. The remote control Trojan has the basic functions of keyboard recording, clipboard monitoring, screen capture and so on, and supports receiving and executing various remote control commands. The overall attack flow is shown in the figure below.

3.Sample analysis
3.1 List of key audit enterprises – Terminal. exe, Index.asp
The “List of Enterprises under Key Audit – Terminals. zip” package of the phishing website contains two files: List of Enterprises under Key Audit – Terminal. exe, Index.asp.

Key Audit Enterprise List – Terminal. exe is a server tool called “SmartServer Intelligent Port Rapid Version,” which will load the Index. asp file in the same path after running.

The attacker hides the malicious code in the Index. asp file. the malicious code downloads the file from the attacker’s server and saves it to a designated folder in the victim’s host, and uses the cmd command to execute the next stage of attack payload.

The file downloaded by the malicious code is shown in the following table.
Table 3-1 Files downloaded by malicious code
Download the file | Save path |
Hxxp: / / xingyuqiang1688 [.] vip / AHK.exe | C:\ Users\ Public\ Music\ Update\ AutoHotkey\ AutoHotkey.exe |
Hxxp: / / 43.135.72 [.] 124 / Run.ahk | C:\ Users\ Public\ Music\ Update\ AutoHotkey\ AutoHotkey.ahk |
Hxxp: / / xingyuqiang1688 [.] vip / 1.ahk | C:\ Users\ Public\ Music\ Update\ AutoHotkey\ 1.ahk |
3.2 Malicious AutoHotKey script
Autohotkey is a scripting language for creating automatic keyboard and mouse operation on Windows platform. an attacker uses AutoHotKey to execute coded malicious ahk scripts and obtain the next attack payload from the server. And create a scheduled task for AutoHotKey. exe.
Table 3-2 Files downloaded by malicious AutoHotKey script
Download
the file |
Save
path |
Remarks |
43.135.120
[.] 185 / py.rar |
C:\
Users\ Public\ Music\ python |
The
environment needed to run Python scripts |
43.135.72
[.] 124 / qd.jpg |
C:\
Users\ Public\ Music\ python |
Malicious
Python script files |
Xingyuqiang1688
[.] vip / resource.data |
C:\
Users\ Public\ Bandizip\ data |
Files
Related to Bandizip Compression Software |
Xingyuqiang1688
[.] vip / web32.exe |
C:\
Users\ Public\ Bandizip\ data |
|
Xingyuqiang1688
[.] vip / English.lang |
C:\
Users\ Public\ Bandizip\ langs |
|
Xingyuqiang1688
[.] vip / ark.x64.dll |
C:\
Users\ Public\ Bandizip |
|
Xingyuqiang1688
[.] vip / Bandizip.exe |
C:\
Users\ Public\ Bandizip |
|
Xingyuqiang1688
[.] vip / conFigureini |
C:\ Users\
Public\ Bandizip |
The attacker uses the Bandizip compression software to decompress py.rar using the password “Ly,” which contains the environment the Python script needs to run in.
3.3 Malicious Python scripts
Qd. jpg is a Shellcode loader written in Python that retrieves Shellcode from a specified URL encoded in Base64 and writes it to memory for execution.

3.4 Shellcode executes the PE file
This Shellcode is used to execute PE files in its code in memory.

The PE file inverts the hard-coded string and parses the C2 configuration information from it.

The PE file connects with the C2 server, obtains the Shellcode of the next stage and writes it into the registry HKEY _ CURRENT _ USER\ Console\ 0\ d33f351a4aeea5e608853d1a56661059.

The PE file then reads the Shellcode in the registry and executes it in memory, and writes the C2 information to HKEY _ LOCAL _ MACHINE\ SOFTWARE\ IpDates _ info.

3.5 Final load
The Shellcode executes the PE file in the memory. the PE file is a DLL file. the original name is called “Login Module. Dll,” and the export function is run.

The DLL file is remote control Trojan, with keyboard recording, clipboard monitoring, screen capture and other basic functions, and support receiving and executing a variety of remote control commands.

4.Inspection plan
4.1 Documents
File Path |
C:\ Users\ Public\ Music\ Update\ AutoHotkey\ AutoHotkey.exe |
C:\ Users\ Public\ Music\ Update\ AutoHotkey\ AutoHotkey.ahk |
C:\ Users\ Public\ Music\ python\ qd. zip |
C:\ Users\ Public\ Music\ python\ qd. jpg |
C:\ Users\ Public\ Music\ python\ py.rar |
C:\ Users\ Public\ Bandizip |
4.2 Registration Form
Registration Form | Content |
Hkey _ CURRENT _ USER\ Console\ 0\ d33f351a4aeea5e608853d1a56661059 | Refer to Figure 3-7 |
Hkey _ LOCAL _ MACHINE\ SOFTWARE\ IpDates _ info | Refer to Figure 3-8 |
4.3 Process
Process name | Remarks |
List of key audit enterprises – Terminal. exe | Smartserver Smart Port Rapid Version v 1.3 |
Python. exe | C:\ Users\ Public\ Music\ python\ pythonw.exe |
4.4 Planned tasks
Name of scheduled task | Path to start program |
Ahk | C:\ Users\ Public\ Music\ Update\ AutoHotKey\ AutoHotKey.exe |
4.5 Network
IoCs |
Hxxp: / / www.shuiwutl2 [.] cn |
Hxxp: / / xingyuqiang1688 [.] vip / AHK.exe |
Hxxp: / / 43.135.72 [.] 124 / Run.ahk |
Hxxp: / / xingyuqiang1688 [.] vip / 1.ahk |
Hxxp: / / 43.135.120 [.] 185 / py.rar |
Hxxp: / / 43.135.72 [.] 124 / qd.jpg |
Hxxp: / / xingyuqiang1688 [.] vip / resource.data |
Hxxp: / / xingyuqiang1688 [.] vip / web32.exe |
Hxxp: / / xingyuqiang1688 [.] vip / English.lang |
Hxxp: / / xingyuqiang1688 [.] vip / ark.x64.dll |
Hxxp: / / xingyuqiang1688 [.] vip / Bandizip.exe |
Hxxp: / / xingyuqiang1688 [.] vip / conFigureini |
Hxxp: / / xingyuqiang1688 [.] vip / 43.135.72.124.bin |
43.135.72 [.] 124: 6666 |
5.Recommendations for protection
In response to such threats, Antiy suggested that enterprises enhance the security awareness of business personnel and reduce the possibility of the organization being attacked; deploy the Antiy terminal defense system to protect the system security in real time. Users who have not deployed Anticon may use the Anticon security threat screening tool for screening when they discover or suspect that they are attacked by the “SwimSnake” gang.
5.1 Enhance the safety awareness of business personnel
Enhance the security awareness of business personnel and reduce the possibility of the organization being attacked. When financial, customer service, sales and other personnel use instant messaging applications such as WeChat and corporate WeChat, they shall not be induced to download and run various files from unknown sources due to the nature of work and interests. The organization can consolidate the “First Line of Safety Defense” by selecting safety awareness training services.
5.2 Deploy Atriplex to strengthen the terminal file receiving and execution protection
Deploy the enterprise-level terminal defense system, and detect the unknown files received by the protection instant messaging software in real time. The ATZ-A terminal defense system uses the ATZ next-generation threat detection engine to detect unknown source files and prevent them from landing and running through the core-level active defense capability.

5.3 Use safety threat detection tool to detect snake threat
Found or suspected of being attacked by the “SwimSnake” gang: Remote control Trojans launched by the “SwimSnake” gang during the attack; Download the safety threat detection tool (https://vs2.antiy.cn, special detection tool for “snake swimming”) from the safety vertical response platform, and quickly detect and detect such threats in the face of unexpected security incidents and special scenarios. Because the attack load used by the “SwimSnake” gang is iterative faster, and the non-killing technology is continuously updated, in order to more accurately and comprehensively eliminate the threat existing in the victim host, It is suggested that the customer contact Antiy Emergency Response Team (CERT @ antiy.cn) to handle the threat after using the special inspection tool to detect the threat.

6.IoCs
IoCs |
Fa707089ecacc42d857460513b07dc1d |
4b7fdcc9f207e2fcd1227b0f58f2631f |
9c9253b0cb78ea2c5a76caeefdac5960 |
7b7a654e99f2b96c0ee114cd49bacf9a |
539b6e91d0a92c999311e0d826315a07 |
49071b451329b2966769e35c7b75edc4 |
B91629da628f3ae8b22b361a0001b65c |
Hxxp: / / www.shuiwutl2 [.] cn |
Hxxp: / / xingyuqiang1688 [.] vip |
43.135.72 [.] 124 |
43.135.120 [.] 185 |
43.135.72 [.] 124: 6666 |
Appendix: About Antiy
Anty is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.
Antiy has developed IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, as well as UWP (Unified Workload Protect) security products for cloud hosts, container and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP) , etc. Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of the advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and SCS Code Security Detection System to help customers shift their security capabilities to the left in the DevOps process. At the same time, it has developed four major kinds of security service: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.
Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.
Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.
Antiy is an important enterprise node in China emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellcode” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis against dozens of advanced cyberspce threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack actions, assisting customers to form effective protection when the enemy situation is accurately predicted.